Remove deprecated Ruby. Upgrade bundler. Fix failing tests #67
c707bdb
to
ecc08e0
Compare
The HSTS Preload check is failing because the cert expired for https://oskuro.net/. Looks like an oversight (missing cron renewal?): https://www.sslshopper.com/ssl-checker.html#hostname=oskuro.net
df1ebc6
to
d67205b
Compare
I kinda cheated here and removed a test as the cert for the domain expired. Tests are passing again. I opened an issue on chromium/hstspreload#115
d67205b
to
ef29a7d
Compare
@majormoses sorry to bug you again. This fixes some of the test issues but not the failing HSTS test which I've removed in ac7196a. I suspect that's a happy medium as the parent issue has been in limbo for some time. Also, having passing tests would be nice so we can add this #66
Anyone available to take a look at this? Perhaps adding a note saying the test is disabled (and adding an ignore) is the better approach. Would love to see this merged and #66 reviewed with passing tests.
Gentle ping @rwky ^^ re: failing HSTS preload test (w/warnings)
Also the
Hey so I think we should rather than remove the test update it to something we can trust. While I can't guarantee my cert won't ever expire since software by its nature we can use https://benabrams.it which is not currently expired and has the appropriate headers and preloading: https://hstspreload.org/?domain=benabrams.it. I see we specifically need something with warnings... if someone can give me instructions on what I need to set up to make it "sorta wrong" I can try setting something up over the weekend. I have some existing DNS entries we can also try testing if it helps: https://github.com/sensu-plugins/sensu-plugins-dns/blob/master/test/integration/helpers/serverspec/check-dns-shared_spec.rb
If I'm not mistaken here are some of the warning conditions: https://github.com/chromium/hstspreload/blob/master/header_test.go#L148-L201
@majormoses any luck or should I dig in more to provide guidance?
Sorry I didn't get around to this. Hopefully I have the time and will take a look this weekend. I am also gonna see if there is any interest on the Sensu Inc side to host some testing infra for this.
Okay so I have 2 local failing tests in master branch right now.
Note: I have to say... the fact that the anchor and cert checks require a shell out to the openssl command line is a bit unnerving to me.
@phumpal sorry been busy, I have not had time to look into setting this up. I have reached out to some folks at Sensu Inc to see if they are willing to help out here as I can see the value that it would provide the community to have some test infra available for CI and development.
No doubt, I am 👍 on it. It's one of the older checks. While we have written many plugins to not rely on shell outs, they do exist and in some cases are the only viable option as there is no native solution in the language. Take for example RAID checks for a proprietary system where they provide a binary you can use but are not going to write client/language SDKs.
One other thing... right now the cert used in the anchor test would also need to account for the openssl 1.0 or 1.1 variant being used. For openssl 1.1 -> 'i:O = Digital Signature Trust Co., CN = DST Root CA X3' There's probably some way to do that conditional switch out in the spec_helper.rb and then reference whatever variable the spec helper tests. We could force the travis environment to be something newer that has openssl 1.1 and just live with it, or vice versa. The important thing is to fix the regexp in the 'bin/check-ssl-anchor.rb' as that will cause the check to fail on the final host.
One last thought: we could let the anchor cmdline option encode a regexp... that way the test could use it. Yeah I think I like that... I'm gonna prototype that change as well.
I'm gonna prep another pull request that will fix the anchor check and anchor check test by making use of the regexp. I'm going to make it so it's backwards compatible, by introducing a new cmdline option to treat the anchor as a regexp instead of as a normal string.
Okay I have a new branch up with a PR #70 that addresses the failing tests as I found them. I was able to test the new anchor regexp logic on Fedora with openssl 1.1 and Centos7 with openssl 1.0. So that looks good. The preload warning test I just disabled as it can't be made reliable... until someone can identify a domain guaranteed to produce a warning from the online lookup.
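The backwards-compatible regexp anchor option discussed in the comments above, sketched as an added example (not code from this PR or from #70). The function names, the `regexp:` keyword and the `s_client` chain excerpts are constructed for illustration; the OpenSSL 1.0 excerpt uses the slash-separated issuer form that release line prints.

```ruby
# Added example, not the plugin's code. Both chain excerpts are constructed
# samples of the "Certificate chain" section of `openssl s_client -showcerts`.
CHAIN_OPENSSL_10 = <<~OUT
  Certificate chain
   0 s:/CN=example.test
     i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     i:/O=Digital Signature Trust Co./CN=DST Root CA X3
OUT

CHAIN_OPENSSL_11 = <<~OUT
  Certificate chain
   0 s:CN = example.test
     i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     i:O = Digital Signature Trust Co., CN = DST Root CA X3
OUT

# One pattern that accepts the issuer in either output format.
ANCHOR_RE = '/?O ?= ?Digital Signature Trust Co\.[/,] ?CN ?= ?DST Root CA X3'

# The anchor is the issuer of the last certificate in the presented chain.
def last_issuer(s_client_output)
  issuers = s_client_output.lines.map { |l| l[/^\s*i:(.*)$/, 1] }.compact
  issuers.last&.strip
end

# regexp: false keeps exact string comparison (the backwards-compatible path);
# regexp: true treats the anchor as a pattern for the whole issuer.
def anchor_matches?(s_client_output, anchor, regexp: false)
  issuer = last_issuer(s_client_output)
  return false if issuer.nil?
  return issuer == anchor unless regexp

  # \A and \z pin the pattern to the full issuer. In Ruby ^ and $ match at
  # line boundaries, and an unpinned pattern would accept any issuer that
  # merely contains the expected text.
  Regexp.new("\\A(?:#{anchor})\\z").match?(issuer)
end

if __FILE__ == $PROGRAM_NAME
  [CHAIN_OPENSSL_10, CHAIN_OPENSSL_11].each do |chain|
    puts "#{last_issuer(chain)} => #{anchor_matches?(chain, ANCHOR_RE, regexp: true)}"
  end
end
```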
Take a look at this: this has everything we need to do in check-ssl-anchor.rb and more
Okay New PR #71 is now up with a pure Ruby alternative implementation for the
Hey @phumpal Can you rebase this PR against master now that we've gotten my related PRs merged?
ac7196a
to
bf16f16
Compare
@jspaleta rebased against master. PTAL |
LGTM
@@ -4,6 +4,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). | |||
This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins/community/blob/master/HOW_WE_CHANGELOG.md). | |||
|
|||
## [Unreleased] | |||
- Remove ruby-2.3.0. Upgrade bundler. Fix failing tests (@phumpal). |
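Review bot: the added bullet under `## [Unreleased]` folds three unrelated changes into one line, and "Fix failing tests" does not say which tests changed or how. Split it into separate bullets, put "Remove ruby-2.3.0" under a breaking-changes subheading since dropping a supported Ruby version affects anyone still running it, and name the tests that were fixed so a reader of the changelog can tell whether any check coverage changed.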
This should be under the Breaking Changes section but we will fix that up for you when we release (hoping to devote some time to sensu projects tomorrow).
Pull Request Checklist
Is this in reference to an existing issue?
General
Update Changelog following the conventions laid out here
Update README with any necessary configuration snippets
Binstubs are created if needed
RuboCop passes
Existing tests pass
New Plugins
Tests
Add the plugin to the README
Does it have a complete header as outlined here
Purpose
Known Compatibility Issues